The <machineKey> Element configures keys to use for encryption and decryption of forms authentication cookie data and viewstate data, and for verification of out-of-process session state identification. This section can be declared at the machine, site, and application levels, but not at the subdirectory level.

For anybody that's running ASP.NET on a server farm, the <machineKey> element is one of those guys you want to know as much as you can about IN ADVANCE - before you run into problems!

The validationKey attribute specifies the key used for validation of encrypted data. validationKey is used when enableViewStateMAC is true to create a message authentication code (MAC) to ensure that view state has not been tampered with. ValidationKey is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between sessions.

AutoGenerate specifies that ASP.NET generates a random key and stores it in the Local Security Authority (LSA). The AutoGenerate option is the default value, but you definitely DON'T want this for a web farm! If you add the IsolateApps modifier to the validationKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID. For a web farm, you want to manually put in your own keys and make sure they are EXACTLY THE SAME on each machine in the farm.

The value attribute specifies a manually assigned validation key. This value must be manually set to ensure consistent configuration across a network of Web servers (a Web farm). The key must be a minimum of 40 characters (20 bytes) and a maximum of 128 characters (64 bytes) long. If keys shorter than the maximum length are used, they should be created by a truly random means, such as by using RNGCryptoServiceProvider, which we will show below. The recommended key length is 128 hexadecimal characters. If you add the IsolateApps modifier to the validationKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID.

The decryptionKey attribute specifies the key used to encrypt data. decryptionKey is used for Forms authentication encryption and decryption and for view state encryption when validation is 3DES.

The AutoGenerate attribute for decryptionKey specifies that ASP.NET generates a random key and stores it in the LSA. The AutoGenerate option is the default value. If you add the IsolateApps modifier to the decryptionKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID.

The value attribute for decryptionKey specifies a manually assigned key. This value must be manually set to a string of hexadecimal characters to ensure consistent configuration across a Web farm. The key should be 16 characters in length when using DES encryption and 48 characters in length when using Triple DES encryption. If keys shorter than the maximum length are used, they should be created by a truly random means. ASP.NET can use Triple DES only on computers on which 128-bit encryption is available. If you add the IsolateApps modifier to the decryptionKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID.

validation specifies the type of encryption used for validation of data:

SHA1 specifies that ASP.NET uses SHA1 encryption.

MD5 specifies that ASP.NET uses MD5 encryption.

3DES specifies that ASP.NET uses Triple-DES (3DES) encryption. When 3DES is specified, forms authentication defaults to SHA1. When the validation attribute is set to 3DES, the view state validation technique uses 3DES encryption.

In order to use the above as a programming exercise to provide something useful, I've created a WebForm that creates the entire <machineKey> element so that you can copy it to the clipboard and paste it into the machine.config (or other config) file of each server on your farm. Yay! No more corrupted viewState and other nasty messages that you couldn't figure out until you were lucky enough to land on this page! Enjoy.

And true to form, if you are just too lazy to download and play with the code and you want to try it out online, I just happen to have my free GenerateMachineKey page working right over here. The Visual Studio.NET 2003 solution zip file can be downloaded below (if you don't have VS.NET 2003, just start an empty web project and add the files to it).

Peter Bromberg is a C# MVP, MCP, and .NET consultant who has worked in the banking and financial industry for 20 years. He has architected and developed web-based corporate distributed application solutions since 1995, and focuses exclusively on the .NET Platform.